16dd46b6c16cce395f746f7a6d7ae5ff625b70279784c6e8b28ee40fb492a94d

General

Target

9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
Size

284KB
MD5

9b8f9b5a094eb038fa8d01b0ca2f75f4
SHA1

f1848e34085590976704fa84e8b6dfd534d11271
SHA256

16dd46b6c16cce395f746f7a6d7ae5ff625b70279784c6e8b28ee40fb492a94d
SHA512

74cf31c44ebb3404df0c5d14ad8eb147c3c1703f6f09ad141ad11aa571b0e2d5df817ee42128c6a8c8a2f1c34f38c35c50f7808ac7186d8780b99a2fe6ca6d76
SSDEEP

6144:+XOlvdqWLqOKz/B5RyaynzgvGq6JhW70Qgtm0DT1x:+XO/zLu/B5YzFHNtm0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

axaz.exe

pid process

1248 axaz.exe
Loads dropped DLL 2 IoCs

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

pid process

2408 9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
2408 9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

pid	process
2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

axaz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\{334A3548-CEF1-AD4E-EADF-D61AC06FF507} = "C:\\Users\\Admin\\AppData\\Roaming\\Fugih\\axaz.exe"	axaz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

description pid process target process

PID 2408 set thread context of 1244 2408 9b8f9b5a094eb038fa8d01b0ca2f75f4.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1688 1244 WerFault.exe cmd.exe

description	pid	process	target process
PID 2408 set thread context of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe

pid	pid_target	process	target process
1688	1244	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

axaz.exe

pid	process
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe
1248	axaz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

description	pid	process
Token: SeSecurityPrivilege	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
Token: SeSecurityPrivilege	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
Token: SeSecurityPrivilege	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exeaxaz.exe

pid process

2408 9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
1248 axaz.exe

pid	process
2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
1248	axaz.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

9b8f9b5a094eb038fa8d01b0ca2f75f4.exeaxaz.execmd.exe

description	pid	process	target process
PID 2408 wrote to memory of 1248	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	axaz.exe
PID 2408 wrote to memory of 1248	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	axaz.exe
PID 2408 wrote to memory of 1248	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	axaz.exe
PID 2408 wrote to memory of 1248	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	axaz.exe
PID 1248 wrote to memory of 1124	1248	axaz.exe	taskhost.exe
PID 1248 wrote to memory of 1124	1248	axaz.exe	taskhost.exe
PID 1248 wrote to memory of 1124	1248	axaz.exe	taskhost.exe
PID 1248 wrote to memory of 1124	1248	axaz.exe	taskhost.exe
PID 1248 wrote to memory of 1124	1248	axaz.exe	taskhost.exe
PID 1248 wrote to memory of 1176	1248	axaz.exe	Dwm.exe
PID 1248 wrote to memory of 1176	1248	axaz.exe	Dwm.exe
PID 1248 wrote to memory of 1176	1248	axaz.exe	Dwm.exe
PID 1248 wrote to memory of 1176	1248	axaz.exe	Dwm.exe
PID 1248 wrote to memory of 1176	1248	axaz.exe	Dwm.exe
PID 1248 wrote to memory of 1252	1248	axaz.exe	Explorer.EXE
PID 1248 wrote to memory of 1252	1248	axaz.exe	Explorer.EXE
PID 1248 wrote to memory of 1252	1248	axaz.exe	Explorer.EXE
PID 1248 wrote to memory of 1252	1248	axaz.exe	Explorer.EXE
PID 1248 wrote to memory of 1252	1248	axaz.exe	Explorer.EXE
PID 1248 wrote to memory of 1660	1248	axaz.exe	DllHost.exe
PID 1248 wrote to memory of 1660	1248	axaz.exe	DllHost.exe
PID 1248 wrote to memory of 1660	1248	axaz.exe	DllHost.exe
PID 1248 wrote to memory of 1660	1248	axaz.exe	DllHost.exe
PID 1248 wrote to memory of 1660	1248	axaz.exe	DllHost.exe
PID 1248 wrote to memory of 2408	1248	axaz.exe	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
PID 1248 wrote to memory of 2408	1248	axaz.exe	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
PID 1248 wrote to memory of 2408	1248	axaz.exe	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
PID 1248 wrote to memory of 2408	1248	axaz.exe	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
PID 1248 wrote to memory of 2408	1248	axaz.exe	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 2408 wrote to memory of 1244	2408	9b8f9b5a094eb038fa8d01b0ca2f75f4.exe	cmd.exe
PID 1244 wrote to memory of 1688	1244	cmd.exe	WerFault.exe
PID 1244 wrote to memory of 1688	1244	cmd.exe	WerFault.exe
PID 1244 wrote to memory of 1688	1244	cmd.exe	WerFault.exe
PID 1244 wrote to memory of 1688	1244	cmd.exe	WerFault.exe
PID 1248 wrote to memory of 524	1248	axaz.exe	conhost.exe
PID 1248 wrote to memory of 524	1248	axaz.exe	conhost.exe
PID 1248 wrote to memory of 524	1248	axaz.exe	conhost.exe
PID 1248 wrote to memory of 524	1248	axaz.exe	conhost.exe
PID 1248 wrote to memory of 524	1248	axaz.exe	conhost.exe
PID 1248 wrote to memory of 1688	1248	axaz.exe	WerFault.exe
PID 1248 wrote to memory of 1688	1248	axaz.exe	WerFault.exe
PID 1248 wrote to memory of 1688	1248	axaz.exe	WerFault.exe
PID 1248 wrote to memory of 1688	1248	axaz.exe	WerFault.exe
PID 1248 wrote to memory of 1688	1248	axaz.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\9b8f9b5a094eb038fa8d01b0ca2f75f4.exe
"C:\Users\Admin\AppData\Local\Temp\9b8f9b5a094eb038fa8d01b0ca2f75f4.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Roaming\Fugih\axaz.exe
"C:\Users\Admin\AppData\Roaming\Fugih\axaz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0c9bdda9.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 116
4⤵
- Program crash
PID:1688

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "515101509-861117447683346461547443774-820906609-1964443701630615989-610760111"
1⤵
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Nyxi\maamy.ree
Filesize
366B

MD5
f746c7ef63def3169652b39a80329553

SHA1
086d428e37be309c79508e09574b6ea1856ff10c

SHA256
4102089ee5e7c4f3ca7d548747d6d7e160bad0c14bf5848f33632783c3afb83a

SHA512
3c98cd5b445a718afc20607e3db869030483f1a3b8079a8dbd134ec8d38851f15b82c0ba1faac41977199c6247b7f50bb5399038569ac898c7cc2bbe80ceb753

Download Submit
\Users\Admin\AppData\Roaming\Fugih\axaz.exe
Filesize
284KB

MD5
e199e5510366e000875a8b66dec1e16d

SHA1
b0a63397cd674e1ff914398d819d2f80161c5ead

SHA256
c59fdd306cc28694d75f54d7a2385691988750dd853482c73ec898a2c2d7d948

SHA512
3ad80e7a128ab2c8af6f67615fbaf550d5a1ad0787ea71c0716b60462537db778473ba654aa59b8c2eed7fd5f5444d60d33b92bf7c12d9b97668e78f15a4b426

Download Submit
memory/1124-17-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1124-22-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1124-20-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1124-23-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1124-24-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1176-27-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1176-29-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1176-28-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1176-26-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1248-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1248-16-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1248-19-0x00000000002B0000-0x00000000002FB000-memory.dmp

Filesize
300KB

Download
memory/1248-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-31-0x00000000029D0000-0x0000000002A11000-memory.dmp

Filesize
260KB

Download
memory/1252-32-0x00000000029D0000-0x0000000002A11000-memory.dmp

Filesize
260KB

Download
memory/1252-33-0x00000000029D0000-0x0000000002A11000-memory.dmp

Filesize
260KB

Download
memory/1252-34-0x00000000029D0000-0x0000000002A11000-memory.dmp

Filesize
260KB

Download
memory/1660-38-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1660-37-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1660-39-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1660-36-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1688-276-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1688-273-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/1688-179-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/1688-178-0x0000000000780000-0x00000000007C1000-memory.dmp

Filesize
260KB

Download
memory/1688-279-0x0000000000780000-0x00000000007C1000-memory.dmp

Filesize
260KB

Download
memory/2408-44-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-70-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-43-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-45-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-47-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-49-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-46-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-52-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-50-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/2408-54-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-56-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-58-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-60-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-62-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-64-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-66-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-68-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-42-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-72-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-74-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-76-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-78-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-80-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-82-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-140-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2408-41-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-163-0x00000000002B0000-0x00000000002FB000-memory.dmp

Filesize
300KB

Download
memory/2408-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-165-0x0000000001CC0000-0x0000000001D01000-memory.dmp

Filesize
260KB

Download
memory/2408-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-1-0x00000000002B0000-0x00000000002FB000-memory.dmp

Filesize
300KB

Download
memory/2408-0-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads